1. No category

as a PDF

A TECHNICAL PUBLICATION OF ASSE’S ENGINEERING PRACTICE SPECIALTY
ByDesign
www.asse.org
AMERICAN SOCIETY OF SAFETY ENGINEERS
Prevention through Design:
Addressing Occupational Risks
in the Design & Redesign Processes
By Fred A. Manuele, P.E., CSP
T
he National Institute for Safety and
Health (NIOSH) held a workshop
in July 2007 to obtain the views of
a variety of stakeholders on a major initiative to “create a sustainable national
strategy for Prevention through Design.”
Some of the participants expressed the
view that the long-term impact of the
NIOSH initiative could be “transformative,” meaning that a fundamental shift
could occur in the practice of safety
resulting in greater emphasis being given
to the higher and more effective decision
levels in the hierarchy of controls. For
this initiative, the NIOSH Mission is:
To reduce the risk of occupational
injury and illness by integrating
decisions affecting safety and health
in all stages of the design process.
To move toward fulfillment of its mission, NIOSH Director Dr. John Howard
has said that:
One important area of emphasis will be
to examine ways to create a demand for
graduates of business, architecture, and
engineering schools to have basic
knowledge in occupational health and
safety principles and concepts.
The Prevention through Design (PtD)
initiative is based on the premise, as stat-
ed in NIOSH literature, that “One of the
best ways to prevent and control occupational injuries, illnesses, and fatalities is
to design out or minimize hazards and
risks early in the design process.” A definition of PtD was written that limited the
activity to “early in the design process.”
At the July 2007 workshop, a large number of participants wanted the concept
extended to include the redesign activities
in which they are participants. A revised
definition was written.
Prevention through Design (PtD):
Addressing occupational safety and
health needs in the design and
redesign processes to prevent or
minimize the work-related hazards
and risks associated with the construction, manufacture, use, maintenance, and disposal of facilities,
materials and equipment.
Enthusiasm for additional knowledge
of prevention through design principles
and practices was significant. Several
attendees said it would be helpful if a regulation or a standard was in place that
sets forth the principles and the methodologies to address hazards and risks in the
design and redesign processes. The probability that OSHA could promulgate a
T
he Engineering Practice Specialty (EPS)
has developed this special issue of
ByDesign to highlight the importance of
designing out or minimizing hazards and risks
early in the design and redesign processes to
prevent and control occupational injuries, illnesses and fatalities. Fred A. Manuele, P.E.,
CSP, president of Hazards Limited, has
authored this issue’s featured article, “Prevention through Design: Addressing Occupational
Risks in the Design and Redesign Processes.”
EPS believes this article effectively explains the
core of the prevention through design concept,
and we hope that such concepts will lead to
established principles, methodologies and standards for controlling hazards and risks during
the design and redesign processes.
Bruce L. Rottner
Engineering Practice Specialty
Administrator
regulation or a standard on Prevention
through Design is remote. It is more
probable that an ANSI standard could be
developed and approved, but that could
take several years. For example,
ANSI/AIHA Z10-2005, the Occupational
Health and Safety Management Systems
Standard, was published 6 years after the
secretariat received ANSI approval to
begin work on it.
Assume that the NIOSH initiative,
which is a several-year undertaking, is
successful. Since hazards analyses and
risk assessments are the core of the PtD
concept, the impact on safety practitioners with respect to their knowledge needs
will be significant. As a primer, this paper
is written to address those needs.
Promoting the acquisition of knowledge of safety through design/prevention
continued on page 2
continued from page 1
through design concepts is in concert
with the ASSE position paper on designing for safety approved by the Board of
Directors in 1994. The opening paragraph
of that paper reads as follows.
Designing for Safety (DFS) is a
principle for design planning for
new facilities, equipment, and operations (public and private) to conserve human and natural resources,
and thereby protect people, property and the environment.
DFS advocates systematic process
to ensure state-of-the-art engineering
and management principles are used
and incorporated into the design of
facilities and overall operations to
assure safety and health of workers,
as well as protection of the environment and compliance with current
codes and standards.
1.0 Scope & Purpose
1.1 This paper provides guidance on
incorporating decisions pertaining to
occupational risks into design and
redesign processes, including consideration of the life cycle of facilities, materials and equipment.
1.2 The goals of applying prevention
through design principles are to:
1.2.1 Achieve safety, defined as that
state for which the risks are at an acceptable level, and
1.2.2 Minimize the occurrence of occupational injuries, illnesses and fatalities.
Since this paper is prompted by a
NIOSH initiative, and since NIOSH
is exclusively an occupational safety and health entity, the scope of
this paper relates principally to the
elimination, reduction or control of
occupational risks.
But, it would be folly to ignore
the fact that the events or exposures
that have the potential to result in
occupational injuries and illnesses
can also result in damage to property and business interruption, and
damage to the environment.
Reference is made in several places
in this paper to those additional
loss potentials.
Thus, the definition of safety
through design, a broader definition
than that for PtD, is included in the
list of definitions.
2.0 Application
2.1 While these guidelines apply to all
occupational settings, the focus is on providing assistance to managements, design
engineers, and safety professionals at
smaller locations, say with 500 or fewer
employees.
2.2 These guidelines apply to the three
major elements in the practice of safety:
2.2.1 Pre-operational, in the design
process – where the opportunities are
greatest and the costs are lower for hazard
and risk avoidance, elimination, or control.
2.2.2 In the operational mode – where
hazards are to be eliminated or controlled
and risks reduced before their potentials
are realized and hazards-related incidents
or exposures occur.
2.2.3 Post-incident as investigations
are made of hazards-related incidents and
exposures to determine causal factors and
risk reduction measures.
3.0 Definitions
Acceptable risk: That risk for which
the probability of a hazard-related incident
or exposure occurring and the severity of
harm or damage that may result are as low
as reasonably practicable, and tolerable in
the setting considered. (This definition
incorporates the ALARP concept.)
ALARP: That level of risk which can
be further lowered only by an increment
in resource expenditure that cannot be justified by the resulting decrement of risk.
Design: The process of converting an
idea or market need into the detailed
information from which a product or
technical system can be produced.
Hazard: Potential for harm. Hazards
include all aspects of technology and
activity that produce risk. Hazards
include the characteristics of things
(equipment, dusts) and the actions or
inactions of people.
Hazard analysis: A process that commences with recognition of a hazard and
proceeds into an estimate of the severity
of harm or damage that could result if a
hazard’s potential is realized and a hazard-related incident or exposure occurs.
Hierarchy of controls: A systematic
way of thinking, considering steps in a
ranked and sequential order, to choose the
most effective means of eliminating or
reducing hazards and the risks that derive
from them.
Life cycle: The phases of the facility,
equipment and material, including: design
2 Special Issue Prevention through Design
Engineering
Practice Specialty
ByDesign
OFFICERS
ADMINISTRATOR
Bruce L. Rottner
201.287.1766
[email protected]
ASSISTANT ADMINISTRATOR
J. Nigel Ellis
302.571.8470
[email protected]
NEWSLETTER EDITOR
J. Nigel Ellis
[email protected]
COMMITTEES
AWARDS & HONORS
Open
BODY OF KNOWLEDGE
Dennis Neitzel
[email protected]
CONFERENCES & SEMINARS
Open
MEMBERSHIP DEVELOPMENT
Gina Mayer-Costa
[email protected]
NOMINATIONS
John W. Mroszczyk
[email protected]
WEBSITE DEVELOPMENT
Magdy Akladios
[email protected]
STAFF LIAISON
Rennie Heath
847.768.3436
[email protected]
NEWSLETTER DESIGN &
PRODUCTION
Susan Carlson
ASSE headquarters staff
[email protected]
ByDesign is a publication of ASSE’s Engineering
Practice Specialty, 1800 E. Oakton St., Des Plaines,
IL 60018, and is distributed free of charge to members of the Engineering Practice Specialty. The opinions expressed in articles herein are those of the
author(s) and are not necessarily those of ASSE.
Technical accuracy is the responsibility of the
author(s). Please send address changes to the
address above; fax to (847) 768-3434; or send via
e-mail to [email protected].
and construction, operation, maintenance,
and disposal.
Prevention through Design: Addressing occupational safety and health needs in
the design and redesign processes to prevent or minimize the work-related hazards
and risks associated with the construction,
manufacture, use, maintenance, and disposal of facilities, materials and equipment.
Probability: The likelihood of an incident or exposure occurring that could
result in harm or damage—for a selected
unit of time, events, population, items or
activity considered.
Residual risk: The risk remaining after
preventive measures have been taken. No
matter how effective the preventive actions,
there will always be residual risk if a facility or operation continues to exist.
Risk: An estimate of the probability of
a hazards-related incident or exposure
occurring and the severity of harm or
damage that could result.
Risk assessment: A process that commences with hazard identification and
analysis, through which the probable severity of harm or damage is established, and
concludes with an estimate of the probability of the incident or exposure occurring.
Safety: That state for which the risks
are at an acceptable level, and tolerable in
the setting being considered.
Safety through Design: The integration of hazard analysis and risk assessment methods early in the design and
redesign processes and taking the actions
necessary so that the risks of injury or
damage are at an acceptable level. This
concept encompasses facilities, hardware,
equipment, tooling, materials, layout and
configuration, energy controls, environmental concerns, and products.
Severity: The extent of harm or damage that could result from a hazard-related incident or exposure.
4.0 Responsibility
4.1 Location management shall provide
the leadership to institute and maintain a
policy and procedures within the design
and redesign processes through which:
4.1.1 Hazards are identified and analyzed.
4.1.2 Risks deriving from identified
hazards are assessed and prioritized.
4.1.3 Risks are reduced to an acceptable
level through the application of the hierarchy of controls described in Section 13.
4.2 These methods are to be applied
when:
4.2.1 New facilities, equipment, and
processes are acquired.
4.2.2 Alterations are made in existing
facilities, equipment, and processes.
4.2.3 Incident investigations are made.
4.3 All who have design responsibilities,
the operations personnel who will be affected, and safety practitioners are to be involved as participants in the decision making.
4.4 In carrying out these responsibilities, management may:
4.4.1 Designate qualified in-house personnel to identify and analyze hazards
and assess the risks deriving from them
for operations in place.
4.4.2 Engage independent contractors
with capabilities in hazard identification
and analysis and risk assessments as consultants to assist with respect to operations in place and in the acquisition of
new facilities, equipment or materials.
4.4.3 Enter into arrangements with
suppliers of newly acquired facilities,
equipment or materials to fulfill these
responsibilities, as in 5.0.
applicable standards, among which
is ISO 12100-1, Safety of Machinery:
Basic concepts, general principles
for design; Part 1, Basic terminology, methodology. That standard
requires that risk assessments be
made as outlined in ISO 14121,
Safety of Machinery: Principles for
risk assessments.
5.1.5 Arrange for persons on the organization’s staff (design engineers, safety
practitioners, and maintenance personnel)
to visit the supplier of equipment that the
staff may consider hazardous or for
which design specifications have been
provided the supplier before the equipment is shipped to assure that safety
needs have been met.
5.1.6 See that a test run of the equipment is made during that visit.
5.1.7 Have an additional validation test
run made after the equipment has been
installed during which safety personnel or
others sign off that safety needs have
been met.
5.0 Relationships with Suppliers
6.0 Making Hazards Analyses
& Risk Assessments
5.1 A large majority of employers will
not have design or technical staffs in
depth to fulfill the requirements of 4.0.
Thus, to avoid bringing hazards and risks
into the workplace when new facilities,
equipment and processes are considered
and to assure that hazards and risks are
properly considered when alterations are
made in existing operations by contractors, location management should:
5.1.1 Establish its design specifications
and objectives.
5.1.2 Have an in-depth dialogue with
suppliers and contractors on the expected
use of the facilities, equipment and
processes.
5.1.3 Include specifications in purchasing agreements and contracts for services
to minimize bringing hazards and their
related risks into the workplace.
5.1.4 Ask suppliers of services to attest
that processes have been applied to identify and analyze hazards and to reduce the
risks deriving from those hazards to an
acceptable level.
There is a precedent for such an
arrangement. Manufacturers of
equipment to go into a workplace in
the European Community are
required by International Organization for Standardization (ISO) standards to certify that they have met
6.1 For many hazards and the risks
that derive from them, knowledge gained
by management personnel, design engineers and safety practitioners through
education and experience will lead to
proper conclusions on how to attain an
acceptable risk level without bringing
teams of people together for discussion.
6.2 For more complex risk situations, it
is vital to seek the counsel of experienced
personnel at all levels who are close to the
work or process. Reaching group consensus is a highly desirable goal. Sometimes,
for what a safety professional considers
obvious, achieving consensus is still desirable so that buy-in is obtained for the
actions to be taken.
6.3 The goal of the risk assessment
process is to achieve acceptable risk levels.
The process is not complete until acceptable risk levels are achieved.
6.4 A general guide follows in 7.0 on
how to make a hazard analysis and how to
extend the process into a risk assessment.
6.5 Whatever the simplicity or complexity of the hazard/risk situation, and whatever analysis method is used (there are
many), the thought and action process in
7.0 applies.
continued on page 4
By Design 3
continued from page 3
7.0 The Hazard Analysis
& Risk Assessment Process
Although the focus in this paper is on
eliminating, reducing, and controlling occupational risks, the process
outlined here is equally applicable in
avoiding injury to the public, damage
to property and business interruption,
damage to the environment, and
product liability incidents.
7.1 Establish the analysis parameters.
Select a manageable task, system, process
or product to be analyzed, and establish its
boundaries and operating phase (e.g., standard operation, maintenance, startup).
7.1.1 Define its interface with other
tasks or systems, if appropriate.
7.1.2 Determine the scope of the
analysis in terms of what can be harmed
or damaged—people (employees, the
public); property; equipment; productivity; the environment.
7.2 Identify the hazard. A frame of
thinking should be adopted that gets to
the bases of causal factors, which are hazards. These questions should be asked:
7.2.1 What are the aspects of technology or activity that produce risk?
7.2.2 What are the characteristics of
things (equipment, dusts) or the actions or
inactions of people that present a potential for harm?
7.2.3 Depending on the complexity of
the hazardous situation, some or all of the
following may apply.
a) Use intuitive engineering and operational sense.
b) Examine system specifications and
expectations.
c) Review codes, regulations, and consensus standards.
d) Interview current or intended system users or operators.
e) Consult checklists.
f) Review studies from similar systems.
g) Consider the potential for unwanted
energy releases.
h) Take into account possible exposures to hazardous environments.
i) Review historical data – industry
experience, incident investigation reports,
OSHA and National Safety Council data,
manufacturer’s literature.
j) Brainstorm.
7.3 Consider the failure modes. Define the possible failure modes that would
result in realization of the potentials of the
hazards. Both the intentional and foreseeable misuse of facilities, equipment, and
materials should be considered. Ask:
7.3.1 What circumstances can arise
that would result in the occurrence of an
undesirable event?
7.3.2 What controls are in place that
mitigate against the occurrence of such an
event or exposure?
7.3.3 How effective are the controls?
7.3.4 Can controls be maintained easily?
7.3.5 Can controls be defeated easily?
7.4 Determine the frequency and
duration of exposure. For each harm or
damage category selected for the scope of
the analysis (people, property, business
interruption etc.), estimate the frequency
and duration of the exposure to the hazard. This is a very important part of this
exercise. For instance, in a workplace situation, more judgments than one might
realize will be made in this process. Ask:
7.4.1 How often is a task performed?
7.4.2 How long is the exposure period?
7.4.3 How many people are exposed?
7.4.4 What property or aspects of the
environment are exposed?
7.5 Assess the severity of consequences. On a subjective basis, the goal
is to decide on the worst credible consequences should an incident occur, not the
worst conceivable consequence. (In
Section 11.0, see Tables 7 and 8 for
examples of severity categories.)
Historical data can be of great value as a
baseline. Informed speculations are made
to establish the consequences of an incident or exposure. Consider the:
7.5.1 Number of injuries or illnesses
and their severity and fatalities.
7.5.2 Value of property or equipment
damaged.
7.5.3 Time for which the business will
be interrupted and productivity will be lost.
7.5.4 Extent of environmental damage.
When the severity of the outcome of
a hazards-related incident or exposure is determined, a hazard analysis has been completed.
7.6 Determine occurrence probability. Extending the hazard analysis into a
risk assessment requires the one additional
step of estimating the likelihood or probability of a hazardous event or exposure
occurring. (In Section 11.0, see Tables 5
and 6 for possible probability categories.)
7.6.1 Unless empirical data are avail-
4 Special Issue Prevention through Design
able (and that would be a rarity), the
process for selecting the probability that
an incident or exposure will occur is
subjective.
7.6.2 For the more complex hazardous
situation, brainstorming with knowledgeable people is necessary.
7.6.3 To be meaningful, probability
must be related to an interval base of
some sort, such as a unit of time or activity, events, units produced, or the life
cycle of a facility, equipment, process, or
a product.
7.7 Define the risk. Conclude with a
statement that includes the:
7.7.1 Probability of a hazards-related
incident or exposure occurring.
7.7.2 Expected severity of adverse
results.
7.7.3 Risk category. (For example,
high, serious, moderate or low.)
7.7.4 A risk assessment matrix should
be used to identify risk categories. A
matrix assists in communicating with the
decision makers on the risk levels. (See
Section 9.0 for examples of risk assessment matrices.)
7.8 Rank risks in priority order. A
risk ranking system should be adopted so
that priorities can be established.
7.8.1 Since the risk assessment exercise is subjective, the risk ranking system
would also be subjective.
7.8.2 Prioritizing risks gives management the knowledge needed on the potentials risks produce for harm or damage so
that intelligent resource allocations can be
made for their elimination or reduction.
7.9 Develop remediation proposals.
When the results of the risk assessment
indicate that risk elimination, reduction,
or control measures are to be taken to
achieve acceptable risk levels:
7.9.1 Alternate proposals for the
design and operational changes necessary
to achieve an acceptable risk level would
be recommended.
7.9.2 The actions as shown in the hierarchy of controls (Section 13.0) would be the
base upon which remedial proposals are
made, in the order of their effectiveness.
7.9.3 Remediation cost for each proposal would be determined and an estimate would be given of its effectiveness
in achieving risk reduction.
7.9.4 Risk elimination or reduction
methods would be selected and implemented to achieve an acceptable risk level.
7.10 Follow up on actions taken.
TABLE 1 Risk Assessment Matrix
Although a hazard analysis and a risk
assessment results from applying the
Occurrence
Severity of Consequence
steps in the preceding outline, good manCatastrophic
Critical
Marginal
Negligible
Probability
agement requires that the effectiveness of
Frequent
High
High
Serious
Medium
the actions taken be determined. FollowProbable
High
High
Serious
Medium
up activity would determine that the:
Occasional
High
Serious
Medium
Low
7.10.1 The hazard/risk problem was
Remote
Serious
Medium
Medium
Low
resolved, only partially resolved, or not
Improbable
Medium
Medium
Medium
Low
resolved.
7.10.2 Actions taken did or did not
create new hazards.
TABLE 2 Risk Assessment Matrix: Numerical Gradings
7.10.3 If an acceptable
risk level is not achieved, Severity Levels
Occurrence Probabilities & Values
or if new hazards are
& Values
Frequent (5) Likely (4) Occasional (3) Seldom (2) Unlikely (1)
introduced, the risk is to Catastrophic(5) 25
20
15
10
5
be re-evaluated and other Critical (4)
20
16
12
8
4
countermeasures are to
Marginal (3)
15
12
9
6
3
be proposed.
Negligible (2)
10
8
6
4
2
7.11 Document the
Insignificant (1) 5
4
3
2
1
results. Documentation,
Very high risk: 15 or greater High risk: 9 to 14 Moderate risk: 4 to 8
Low risk: Under 4
whether compiled under
the direction of location
management or by the
8.2 If the residual risk is not acceptrisks, and to effectively allocate mitigaprovider of equipment or services, should able, the action outline set forth in the
tion resources. Safety practitioners must
include comments on the:
foregoing hazard analysis and risk assess- understand that definitions of the terms
7.11.1 Risk assessment method(s) used. ment process (7.0) would be applied
used for incident probability and severity
7.11.2 Hazards identified.
again. (Addendum A is an outline of one
and for risk levels vary greatly in the
7.11.3 Risks deriving from the hazards.
company’s risk assessment process.)
many risk assessment matrices in use.
7.11.4 Reduction measures taken to
9.2 Thus, safety practitioners should
attain acceptable risk levels.
9.0 Risk Assessment Matrices
create and obtain broad approval for a risk
9.1 A risk assessment matrix provides
assessment matrix that is suitable to the
a method to categorize combinations of
8.0 Residual Risk
hazards and risks with which they deal.
probability of occurrence and severity of
8.1 Residual risk is the risk remaining
9.3 Three examples of risk assessment
harm, thus establishing risk levels. A
after preventive measures have been
matrices are provided here to serve as refmatrix helps in communicating with decitaken. No matter how effective the preerences.
sion makers on risk reduction actions to
ventive actions, there will always be
9.3.1 Table 1 is an adaptation from a
be taken. Also, risk assessment matrices
residual risk if an activity continues.
matrix in MIL-STD-882 D, the Departcan be used to compare and prioritize
Attaining zero risk is not possible.
ment of Defense Standard Practice for
System Safety. (MIL-STD-882, first
issued in 1969, is the grandfather of risk
TABLE 3 Risk Assessment Matrix: ANSI B11.TR3-2000
assessment matrices.)
Occurrence
Severity of Harm
9.3.2 This second exhibit of a risk
Catastrophic
Serious
Moderate
Minor
Probability
assessment matrix (Table 2) is a composite
Very likely
High
High
High
Medium
of matrices that include numerical values
Likely
High
High
Medium
Low
for probability and severity levels that are
Unlikely
Medium
Medium
Low
Negligible
transposed into risk scorings. It is presented
Remote
Low
Low
Negligible
Negligible
here for people who prefer to deal with
numbers rather than qualitative indicators.
(A word of caution: The numbers are
arrived at judgmentally and are qualitative.)
TABLE 4 Management Decision Levels
9.3.3 Table 3 is taken from the Risk
Risk Category
Remedial Action or Acceptance
Estimation Matrix that appears in ANSI
High
Operation not permissible.
B11.TR3-2000, the ANSI Technical
Report titled Risk Assessment and Risk
Serious
Remedial action to have high priority.
Reduction: A Guide to Estimate, Evaluate
Medium
Remedial action to be taken in appropriate time.
and Reduce Risks Associated with
Low
Risk is acceptable; remedial action discretionary.
continued on page 6
By Design 5
continued from page 5
Machine Tools. It is the basis on which
the risk assessments shown in Addendum
B were made.
10.0 Management Decision Levels
10.1 Remedial action or acceptance levels must be attached to the risk categories
to permit intelligent management decisionmaking. Table 4 provides a basis for
review and discussion. Other safety practitioners who craft risk assessment matrices
may have differing ideas about acceptable
risk levels and the management actions to
be taken in a given risk situation.
11.0 Descriptions of the Terms:
Probability & Severity
11.1 There is no one right method in
selecting probability (likelihood) and
severity categories and their descriptions,
and many variations are in use. Examples
in Tables 5 through 8 show variations in
the terms and their descriptions as used in
applied risk assessment processes for
probability of occurrence and severity of
consequence.
Hazard Identification & Evaluation
Techniques for System Safety
Applications.” In the System Safety
Analysis Handbook, 101 methods are
described. Brief descriptions are given
here of purposely selected hazard analysis
techniques.
If a safety practitioner understands all
of them and is capable of bringing them
to bear in resolving hazards and risk situations, he or she will be exceptionally
well qualified to give counsel on risk
assessments. As a practical matter, having
knowledge of three risk assessment concepts will be sufficient to address most
risk situations. They are initial hazard
analysis and risk assessment; the whatif/checklist analysis methods; and failure
mode and effects analysis (FMEA).
12.2 It is important to understand that
each of those techniques complements,
rather than supplants, the others.
Selecting the technique or a combination
of techniques to be used to analyze a hazardous situation requires good judgment
based on knowledge and experience.
12.3 Qualitative rather than quantitative judgments will prevail. For all but the
complex risks, qualitative judgments will
be sufficient.
12.0. Descriptions of Hazards Analyses
& Risk Assessment Techniques
12.4 Sound quantitative data on incident and exposure probabilities is seldom
available. Many quantitative risk assess12.1 Over the past 40 years, many
hazard analysis and risk assessment tech- ments are really qualitative risk assessments because so many judgments must
niques have been developed. For exambe made in the process to decide on the
ple, Pat Clemens gave brief descriptions
probability levels selected.
of 25 techniques in “A Compendium of
12.5
Preliminary
TABLE 5 Probability Descriptions: Example A
Hazard
Descriptive Word
Probability Descriptions
Analysis
Frequent
Likely to occur repeatedly
(PHA): Initial
Probable
Likely to occur several times
Hazard
Occasional
Likely to occur sometime
Analysis and
Remote
Not likely to occur
Risk Assessment
Improbable
So unlikely, can assume occurrence
12.5.1 The
will not be experienced
origin of the
PHA techTABLE 6 Probability Descriptions: Example B nique is in system safety. It
Descriptive Word
Probability Descriptions
was to identify
Frequent
Could occur annually
and evaluate
Likely
Could occur once in 2 years
hazards in the
Possible
Not more than once in 5 years
very early
Rare
Not more than once in 10 years
stages of the
Unlikely
Not more than once in 20 years
design
process.
6 Special Issue Prevention through Design
However, in actual practice the technique
has attained much broader use. The principles on which preliminary hazards
analyses are based are used not only in
the initial design process, but also in
assessing the risks of existing products or
operations. Thus, the technique needs a
new name: Initial Hazard Analysis and
Risk Assessment. (Take note to avoid
confusion, for OSHA’s Rule For Process
Safety Management Of Highly
Hazardous Chemicals and for EPA’s Risk
Management Program for Chemical
Accidental Release Prevention, PHA
stands for process hazard analysis.)
12.5.2 Headings on initial hazard
analysis forms will include the typical
identification data: date, names of evaluators, department and location. The following information is usually included in an
initial hazard analysis process.
a) Hazard description, sometimes
called a hazard scenario.
b) Description of the task, operation,
system, subsystem or product analyzed.
c) Exposures to be analyzed: people
(employees, the public); facility, product
or equipment loss; operation down time;
environmental damage.
d) Probability interval to be considered: unit of time or activity; events; units
produced; life cycle.
e) Risk assessment code, using the
agreed upon risk assessment matrix.
f) Remedial action to be taken, if risk
reduction is needed.
12.5.3 A communication accompanies
the analysis, indicating the assumptions
made and the rationale for them.
Comment would be made on the assignment of responsibilities for the remedial
actions to be taken and expected completion dates. An initial hazard analysis and
risk assessment worksheet appears as
Addendum B in this paper, courtesy of
Design Safety Engineering Inc.
12.6 What-if analysis
12.6.1 For a what-if analysis, a group
of people (as little as two, but often several more) use a brainstorming approach to
identify hazards, hazard scenarios, failure
modes, how incidents can occur and their
probable consequences.
12.6.2 Questions posed during the
brainstorming session may commence
with what-if, as in “What if the air conditioning fails in the computer room?” or
may express general concerns, as in “I
worry about the possibility of spillage
TABLE 7 Severity Descriptions for Multiple Harm
& Damage Categories: Example A
Catastrophic
Critical
Marginal
Negligible
Death or permanent total disability, system loss, major
property damage and business down time
Permanent, partial or temporary disability in excess of
3 months, major system damage, significant property damage and downtime
Minor injury, lost workday accident, minor system damage,
minor property damage and little downtime
First-aid or minor medical treatment, minor system
impairment
TABLE 8 Severity Descriptions for Multiple Harm
& Damage Categories: Example B
Catastrophic
Critical
Marginal
Negligible
One or more fatalities, total system loss, chemical release
with lasting environmental or public health impact
Disabling injury or illness, major property damage and
business down time, chemical release with temporary environmental or public health impact
Medical treatment or restricted work, minor subsystem loss
or damage, chemical release triggering external reporting
requirements
First aid only, non-serious equipment or facility damage, chemical release requiring only routine cleanup without reporting
and chemical contamination during truck
offloading.”
12.6.3 All of the questions are recorded,
and assigned for investigation. Each subject of concern is then addressed by one or
more team members. They would consider
the potential of the hazardous situation and
the adequacy or inadequacy of risk controls in effect, suggesting additional risk
reduction measures if appropriate.
12.7 Checklist analysis
12.7.1 Checklists are primarily adaptations from published standards, codes,
and industry practices. There are many
such checklists. They consist of questions
pertaining to the applicable standards and
practices, usually with a yes or no or not
applicable response. Their purpose is to
identify deviations from the expected, and
thereby possible hazards. A checklist
analysis requires a walk-through of the
area to be surveyed. Checklists are easy
to use and provide a cost-effective way to
identify customarily recognized hazards.
12.7.2 Nevertheless, the quality of
checklists depends on the experience of
the people who develop them. Further,
they must be crafted to suit particular
facility/operations needs. If a checklist is
incomplete, the analysis may not identify
some hazardous situations.
12.8 What-if/checklist analysis
12.8.1 A what-if/checklist hazard
analysis technique combines the creative,
brainstorming aspects of the What-If
method with the systematic approach of a
Checklist. Combining the techniques can
compensate for the weaknesses of each.
12.8.2 The what-if part of the process,
using a brainstorming method, can help
the team identify hazards that have the
potential to be the causal factors for incidents, even though no such incidents have
yet occurred. The checklist provides a
systematic approach for review that can
serve as an idea generator during the
brainstorming process. Usually, a team
experienced in the design, operation, and
maintenance of the operation performs
the analysis.
12.9 Hazard and operability analysis
12.9.1 The hazard and operability
analysis (HAZOP) technique was developed to identify both hazards and oper-
ability problems in chemical process
plants. It has subsequently been applied
to a wide range of industry processes and
equipment. An interdisciplinary team and
an experienced team leader are required.
12.9.2 In a HAZOP application, a
process or operation is systematically
reviewed to identify deviations from
desired practices that could lead to
adverse consequences. HAZOPs can be
used at any stage in the life of a process.
12.9.3 HAZOPs usually require prework in gathering materials and a series
of meetings in which the team, using
process drawings, systematically evaluates the impact of deviations from the
desired practices. The team leader uses a
set of guide words to develop discussions.
12.9.4 As the team reviews each step
in a process, recordings are made of:
a) deviations;
b) their causal factors;
c) consequences should an incident
occur;
d) safeguards in place;
e) required actions, or the need for more
information to evaluate the deviation.
12.10 Failure modes & effects analysis
12.10.1 In several industries, failure
modes and effects analyses (FMEA) have
been the techniques of choice by design
engineers for reliability and safety considerations. They are used to evaluate the
ways in which equipment fails and the
response of the system to those failures.
12.10.2 Although FMEA is typically
made early in the design process, the
technique can also serve well as an analysis tool throughout the life of equipment
or a process.
12.10.3 An FMEA produces qualitative,
systematic lists that include the failure
modes, the effects of each failure, safeguards that exist, and additional actions
that may be necessary. For example, for a
pump, the failure modes would include
fails to stop when required; stops when
required to run; seal leaks or ruptures; and
pump case leaks or ruptures.
12.10.4 Both the immediate effects
and the impact on other equipment would
be recorded. Generally, when analyzing
impacts, the probable worst case is
assumed and analysts would conclude
that existing safeguards do or do not
work. Although an FMEA can be made
by one person, it is typical for a team to
be appointed when there is complexity.
continued on page 8
By Design 7
continued from page 7
12.10.5 In either case, the traditional
process is similar, as in the following.
a) Identify the item or function to be
analyzed
b) Define the failure modes
c) Record the failure causes
d) Determine the failure effects
e) Enter a severity code and a probability code for each effect
f) Enter a risk code
g) Record the actions required to
reduce the risk to an acceptable level
12.10.6 The FMEA process described
here requires entry of probability, severity, and risk codes. A FMEA form on
which those codes would be entered is
provided here as Addendum C.(Good references explaining risk coding for FMEA
purposes are the reference manual titled
Potential Failure Mode and Effects
Analysis issued by the Automotive
Industry Action Group; and the semiconductor industry publication Failure Mode
and Effects Analysis (FMEA): A Guide
for Continuous Improvement for the
Semiconductor Equipment Industry.)
12.11 Fault tree analysis
12.11.1 A fault tree analysis (FTA) is a
top-down, deductive logic model that traces
the failure pathways for a predetermined,
undesirable condition or event, called the
TOP event. An FTA can be carried out
either quantitatively or subjectively.
12.11.2 It is emphasized that a subjective (or qualitative) analysis can produce
suitable results, especially when quantitative numbers are not available. The FTA
generates a fault tree (a symbolic logic
model) entering failure probabilities for
the combinations of equipment failures
and human errors that can result in the
accident. Each immediate causal factor is
examined to determine its subordinate
causal factors until the root causal factors
are identified.
12.11.3 The strength of an FTA is its
ability to identify combinations of basic
equipment and human failures that can
lead to an accident, allowing the analyst
to focus preventive measures on significant basic causes.
12.11.4 An FTA has particular value
when analyzing highly redundant systems
and high-energy systems in which highseverity events can occur. For systems
vulnerable to single failures that can lead
to accidents, the FMEA and HAZOP
techniques are better suited.
12.11.5 FTA is often used when another technique has identified a hazardous
situation that requires more detailed
analysis. Making a fault tree analysis of
other than the simplest systems requires
the talent of experienced analysts.
12.12 Management oversight and
risk tree
12.12.1 All of the hazard analysis and
risk assessment techniques previously
discussed relate principally to the initial
design process in the pre-operational
mode, or to the redesign process to
achieve risk reduction in the operational
mode. Management Oversight and Risk
Tree (MORT) is relative to the post-incident element of the practice of safety.
12.12.2 MORT was developed principally for incident investigations. In the
Abstract for the Guide To Use Of The
Management Oversight And Risk Tree,
this is how MORT is described:
MORT is a comprehensive analytical
procedure that provides a disciplined
method for determining the systemic
causes and contributing factors of accidents. MORT directs the user to the hazards and risks deriving from both system
design and procedural shortcomings
(emphasis added).
12.2.3 MORT provides an excellent
resource for the post-incident element of
the practice of safety during which the
hazard identification and analysis and risk
assessment methods described here can
be used.
13.0 Hierarchy of Controls
13.1 A hierarchy is a system of persons or things ranked one above the other.
A hierarchy of controls provides a systematic way of thinking, considering
steps in a ranked and sequential order, to
choose the most effective means of eliminating or reducing hazards and the risks
that derive from them. Acknowledging
that premise—that risk reduction measures should be considered and taken in a
prescribed order—represents an important step in the evolution of the practice
of safety.
13.2 A major premise to be considered
in applying a hierarchy of controls is that
the outcome of the actions taken is to be
an acceptable risk level.
13.3 Acceptable risk, as previously
8 Special Issue Prevention through Design
defined, is that risk for which the probability of a hazard-related incident or
exposure occurring and the severity of
harm or damage that could result are as
low as reasonably practicable, and tolerable in the situation being considered.
13.4 That definition requires taking
into consideration:
a) avoiding, eliminating or reducing
the probability of a hazard-related incident or exposure occurring;
b) reducing the severity of harm or
damage that may result, if an incident or
exposure occurs;
c) the feasibility and effectiveness of
the risk reduction measures to be taken,
and their costs, in relation to the amount
of risk reduction to be achieved.
13.5 Decision makers should understand that, with respect to the six levels of
action shown in the hierarchy of controls
in 13.6 that:
13.5.1 The ameliorating actions described in the first, second, and third action
levels are more effective because they:
a) are preventive actions that eliminate
or reduce risk by design, substitution, and
engineering measures;
b) rely the least on the performance of
personnel;
c) are less defeatable by supervisors or
workers.
13.5.2 Actions described in the fourth,
fifth and sixth levels are contingent
actions and rely greatly on the performance of personnel for their effectiveness.
13.6 The following hierarchy of controls is considered state-of-the-art. It is
compatible with the hierarchy of controls
in ANSI/AIHA Z10-2005.
a) Eliminate or reduce risks in the
design and redesign processes.
b) Reduce risks by substituting less
hazardous methods or materials.
c) Incorporate safety devices.
d) Provide warning systems.
e) Apply administrative controls (work
methods, training, work scheduling, etc.).
f) Provide PPE.
14.0. The Logic of Taking Action
in the Order Given
Comments follow on each of the
action elements listed in the preceding hierarchy of controls, including
the rationale for listing actions to
be taken in the order given. Taking
actions in the prescribed order, as
feasible and practicable, is the most
effective means to achieve risk
reduction.
14.1 Eliminate or reduce risks in the
design and redesign processes
14.1.2 The theory is plainly stated. If
hazards are eliminated in the design and
redesign processes, risks that derive from
those hazards are also eliminated. But, elimination of hazards completely by modifying
the design may not always be practicable.
Then, the goal is to modify the design, within practicable limits, so that the:
a) probability of personnel making
human errors because of design inadequacies is at a minimum;
b) ability of personnel to defeat the
work system and the work methods prescribed, as designed, is at a minimum
Examples are designing to eliminate
or reduce the risk from fall hazards;
ergonomic hazards; confined space entry
hazards; electrical hazards; noise hazards;
and chemical hazards.
14.2 Substitution of less hazardous
methods or materials
14.2.1 Substitution of a less hazardous
method or material may or may not result
in equivalent risk reduction in relation to
what might be the case if the hazards and
risks were reduced to a practical minimum through system design or redesign.
Consider this example.
Considerable manual material handling
is necessary in a mixing process for chemicals. A reaction takes place and an employee sustains serious chemical burns. There
are identical operations at two of the company’s locations. At one, the operation is
re-designed so that it is completely
enclosed, automatically fed, and operated
by computer from a control panel, thus
greatly eliminating operator exposure.
At the other location, funds for doing
the same were not available. To reduce the
risk, it was arranged for the supplier to premix the chemicals before shipment (substitution). Some mechanical feed equipment
for the chemicals was also installed. The
risk reduction achieved by substitution was
not equivalent to that attained by re-designing the operation. Additional administrative
controls had to be applied.
Methods that illustrate substituting less
hazardous methods, materials, or processes for that which is more hazardous
include using automated material handling equipment rather than manual material handling; providing an automatic feed
system to reduce machine hazards; using
a less hazardous cleaning material; reduce
speed, force, amperage; reduce pressure,
temperature; replace an ancient steam
heating system and its boiler explosion
hazards with a hot air system.
14.3 Incorporate safety devices
14.3.1 When safety devices are incorporated in the system in the form of engineering controls, substantial risk
reduction can be achieved.
14.3.2 Engineered safety devices are to
prevent access to the hazard by workers.
They are to separate hazardous energy
from the worker and deter worker error.
Examples are machine guards; interlock systems; circuit breakers; start-up
alarms; presence-sensing devices; safety
nets; ventilation systems; sound enclosures; fall prevention systems; and lift
tables, conveyors and balancers.
14.4 Warning systems
14.4.1 Warning system effectiveness
relies considerably on administrative controls, such as training, drills, and the quality
of maintenance, and the reactions of people.
14.4.2 Although vital in many situations, warning systems may be reactionary in that they alert persons only
after a hazard's potential is in the process
of being realized (e.g., a smoke alarm).
Examples are smoke detectors; alarm
systems; backup alarms; chemical detection systems; signs; and alerts in operating procedures or manuals.
14.5 Administrative controls
14.5.1 Administrative controls rely on
the methods chosen as appropriate in relation to the needs, the capabilities of people responsible for their delivery and
application, the quality of supervision, and
the expected performance of the workers.
Some administrative controls are personnel selection; developing and applying
appropriate work methods and procedures; training; supervision; motivation,
behavior modification; work scheduling;
job rotation; scheduled rest periods;
maintenance; management of change;
investigations; and inspections.
14.5.3 Achieving a superior level of
effectiveness in all of these administrative
methods is difficult and not often attained.
14.6 Provide PPE
14.6.1 The proper use of personal protective equipment relies on an extensive
series of supervisory and personnel actions,
such as the identification of the type of
equipment needed, its selection, fitting,
training, inspection, maintenance, etc.
Examples include safety glasses; face
shields; respirators; welding screens; safety shoes; gloves; and hearing protection.
14.6.2 Although the use of personal
protective equipment is common and is
necessary in many occupational situations,
it is the least effective method to deal with
hazards and risks. Systems put in place
for their use can easily be defeated.
14.6.3 In the design processes, one of
the goals should be to reduce reliance on
personal protective equipment to a practical
minimum, applying the ALARP concept.
14.7 For many risk situations, a combination of the risk management methods
shown in the hierarchy of controls is necessary to achieve acceptable risk levels. But
the expectation is that consideration will be
given to each step in a descending order
and that reasonable attempts will be made
to eliminate or reduce hazards and their
associated risks through steps higher in the
hierarchy before lower steps are considered. A lower step is not to be chosen until
practical applications of the preceding level
or levels are exhausted.
14.8 A yet unpublished document,
MIL-STD-882E, includes provisions that
further explain the thought process that
should govern when the hierarchy of controls is applied. Excerpts follow from the
“System safety mitigation order of precedence” in 882E.
14.8.1 In reducing risk, the cost, feasibility and effectiveness of candidate mitigation methods should be considered. In
evaluating mitigation effectiveness, an
order of precedence generally applies as
follows.
a) Eliminate hazard through design
selection. Ideally, the risk of a hazard
should be eliminated. This is often done
by selecting a design alternative that
removes the hazard altogether.
b) Reduce mishap risk through design
alteration. If the risk of a hazard cannot be
eliminated by adopting an alternative
design, design changes should be considered that reduce the severity and/or the
probability of a harmful outcome.
c) Incorporate engineered safety features (ESF). If unable to eliminate or adequately mitigate the risk of a hazard
through a design alteration, reduce the
risk using an ESF that actively interrupts
the mishap sequence.
continued on page 10
By Design 9
continued from page 9
d) Incorporate safety devices. If unable
to eliminate or adequately mitigate the
hazard through design or ESFs, reduce
mishap risk by using protective safety
features or devices.
e) Provide warning devices. If design
selection, ESFs, or safety devices do not
adequately mitigate the risk of a hazard,
include a detection and warning system to
alert personnel to the presence of a hazardous condition or occurrence of a hazardous event.
f) Develop procedures and training.
Where other risk reduction methods cannot adequately mitigate the risk from a
hazard, incorporate special procedures
and training. Procedures may prescribe
the use of personal protective equipment.
15.0 Conclusion
15.1 It would be folly for safety professionals to ignore the impact of the
Prevention through Design/Safety
through Design movement on their
knowledge needs. It is becoming evident
that it’s all about risk, about being able to
identify and analyze hazards and assess
the risks deriving from them. The entirety
of purpose of those responsible for safety,
whatever their titles, is to deal with hazards so that the risks deriving from those
hazards are acceptable
15.2 This paper is a primer on
PtD/Safety through design. An extensive
list of references follows for those who
would like to continue their education.
References
ANSI/AIHA Z10-2005. Occupational
Health and Safety Management Systems.
Fairfax, VA: American Industrial Hygiene
Association, 2005. www.aiha.org/marke
tplace.htm.
ANSI/PMMI B155.1-2006. Safety
Requirements for Packaging Machinery
and Packaging-Related Converting
Machinery. Arlington, VA: Packaging
Machinery Manufacturers Institute, 2006.
ANSI B11.TR3-2000. Risk Assessment and Reduction: A Guide to Estimate, Evaluate and Reduce Risks
Associated with Machine Tools. McLean,
VA: AMT, The Association for
Manufacturing Technology, 2000.
“ASSE Position Paper On Designing
for Safety”. Approved by the Board of
Directors in 1994. Des Plaines, IL: ASSE.
Aviation Ground Operation Safety
Handbook (6th ed.) Itasca, IL: National
Safety Council, 2007.
Clemens, P. “A Compendium of Hazard
Identification and Evaluation Techniques
for System Safety Application.” Hazard
Prevention, March/April, 1982.
Christensen, W.C. & Manuele, F.A.
Safety Through Design. Itasca, IL:
National Safety Council
Christensen, W.C. “Retrofitting for
Safety: Career implications for SH&E personnel.” Professional Safety, May 2007.
Christensen, W.C. Safety Through
Design: Helping design engineers
answer10 key questions. Professional
Safety, March 2003.
Failure Mode and Effects Analysis: A
Guide for Continuous Improvement for
the Semiconductor Equipment Industry.
Technology Transfer #92020963A-ENG.
Austin, TX: International SEMATECH,
1992. Available at www.sematech.org.
Guidance Document for Incorporating
Risk Concepts into NFPA Codes and
Standards. Quincy, MA: The Fire
Protection Research Foundation, 2007.
Guide to Use of the Management Oversight and Risk Tree. SSDC-103. Washington, DC: Department of Energy, 1994.
Guidelines for Hazard Evaluation
Procedures, 2nd ed. with worked examples. A Center for Chemical Process Safety
1992 publication, now available through
John Wiley & Sons, Hoboken, NJ.
ISO 12100-1. Safety of Machinery:
Basic concepts, general principles for
design. Part 1. Basic terminology, methodology. Geneva, Switzerland: International
Organization for Standardization, 2003.
ISO 14121. Safety of Machinery:
Principles for risk assessment. Geneva,
Switzerland: International Organization
for Standardization, 1999.
Main, B. Risk Assessment: basics and
benchmarks. Ann Arbor, MI: Design
Safety Engineering Inc, 2004.
Main, B. “Risk assessment is coming.
Are you ready?” Professional Safety, July
2002.
Main, B. “Risk assessment: A review
of the fundamental principles.” Professional Safety, December 2004.
Manuele, F.A. Advanced Safety
Management: Focusing on Z10 and
Serious Injury Prevention. Hoboken, NJ:
John Wiley & Sons, 2007.
Manuele, F.A. “ANSI/AIHA Z102005: The new benchmark for safety
management systems.” Professional
Safety, February 2006.
Manuele, F.A. On the Practice of
Safety, 3rd ed. Hoboken, NJ: John Wiley
& Sons, 2003.
Manuele, F.A. “Risk Assessments and
Hierarchies of Control.” Professional
Safety, May 2005.
MIL-STD-882D. Standard Practice for
System Safety. Washington: DC:
Department of Defense, 2000. Also at
http://www.safetycenter.navy.mil/instructions/osh/milstd882d.pdf#search='MILSTD882D’.
Potential Failure Mode and Effects
Analysis. Southfield, MI: Automotive
Industry Action Group, 3rd ed., 2001.
SFPE Engineering Guide to Fire Risk
Assessment. Bethesda, MD: The Society
of Fire Protection Engineers, 2006.
Stephans, R. & Talso, W.W., eds.
System safety analysis handbook: a
sourcebook for safety practitioners.
Albuquerque, NM: New Mexico Chapter,
System Safety Society, 1997.
Stephans, R.A. System safety for the
21st century. Hoboken, NJ: John Wiley &
Sons, 2004
Swain, A.D. “Work situation approach
to improving job safety.” Albuquerque,
NM: Sandia Laboratories.
Vincoli, J.W. Basic guide to system
safety. Hoboken, NJ: John Wiley & Sons,
1993.
ANSI/AIHAZ10 Is Here
ANSI/AIHA Z10:
Occupational Health and Safety Management Systems
10 Special Issue Prevention through Design
Call ASSE at (847) 699-2929 or visit www.asse.org.
ADDENDUM A The Risk Assessment Process
1) Data gathering
Injury and proactive data
2) Set the limits/scope of the strategy
leadership team sponsorship
3) Develop and charter risk
reduction team
Reevaluate tasks
and hazards
4) Identify tasks and hazards
Identify current
controls
5) Assess risk—Initial risk
scoring system
6) Reduce risk
Hazard control hierarchy
7) Assess risk—Residual risk
scoring system
No
Test/verify
current controls
Identify new
controls
Residual risk
acceptable?
Yes
8) Results/documentation
Evaluation complete
10) New hazard
ID
9) Controls measurement system
By Design 11
ADDENDUM B Initial Hazard Analysis & Risk Assessment Worksheet
12 Special Issue Prevention through Design
ADDENDUM C Potential Failure Modes & Effects Analysis Sequence
Subsystem
Function
Reqt’s
Potential
Effect(s)
of Failure
Potential
Failure Mode
What are the
effect(s)?
S
E
V
C
l
a
s
s
Potential
Cause(s)/
Mechanisms
of Failure
O
D
Responsibility
c
Current
e R. Recommended
& Target
c
t P.
Controls
Action(s)
Completion
u
e N.
Date
r Prevention Direction c
How
bad is
it?
Action Results
Actions
Taken
S O D R.
e c e P.
v c t N.
What can be
done?
•Design
changes
What are the
functions, features
or requirements?
•Process
changes
What are the
causes?
How often
does it
happen?
What can go
wrong?
•Special
controls
•Changes to
standards,
procedures
or guides
•No function
•Partial/over/
degraded function
•Intermittent
function
•Unintended
function
How can this be
prevented and
detected?
How good is
the method at
detecting it?
Note: Reprinted from Potential Failure Mode & Effect Analysis (3rd ed.) with permission of DaimlerChrysler, Ford and GM Supplier
Quality Requirements Task Force.
By Design 13

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz